From e46f3b4af397fec3cd62ee90ccb891984904219f Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Tue, 17 Oct 2023 11:23:32 +0900 Subject: [PATCH] Drop default password The default password was deprecated some time ago[1]. [1] 2df992faf3d2a6c845b6bbe302fb956b77307c50 Change-Id: I517fc45081015156e71cd0c77fd2992876e1a22e --- manifests/keymaster.pp | 12 ++---- manifests/keystone/auth.pp | 20 +++------- manifests/proxy/authtoken.pp | 19 +++------- manifests/proxy/ceilometer.pp | 19 +++------- manifests/proxy/s3token.pp | 22 ++++------- .../require-password-a524fb4dc86a4d83.yaml | 5 +++ spec/classes/swift_keymaster_spec.rb | 15 +++++--- spec/classes/swift_proxy_authtoken_spec.rb | 38 +++++++++++-------- spec/classes/swift_proxy_ceilometer_spec.rb | 30 +++++++++------ spec/classes/swift_proxy_s3token_spec.rb | 23 ++++++----- 10 files changed, 97 insertions(+), 106 deletions(-) create mode 100644 releasenotes/notes/require-password-a524fb4dc86a4d83.yaml diff --git a/manifests/keymaster.pp b/manifests/keymaster.pp index 4b3465c5..beafaeb6 100644 --- a/manifests/keymaster.pp +++ b/manifests/keymaster.pp @@ -2,6 +2,9 @@ # # == Parameters # +# [*password*] +# (Required) String. The password to go with the Keystone username. +# # [*api_class*] # (Required) String. The api_class tells Castellan which key manager to # use to access the external key management system. The default value that @@ -19,9 +22,6 @@ # from the KMS. The username shall be set to match an existing user. # Defaults to swift. # -# [*password*] -# (Required) String. The password to go with the Keystone username. -# # [*project_name*] # (Optional) String. The Keystone project name. For security reasons, # it is recommended to set the project_name to a project separate from the 
@@ -69,10 +69,10 @@ # Thiago da Silva thiago@redhat.com # class swift::keymaster( + String[1] $password, $api_class = 'barbican', $key_id = undef, $username = 'swift', - $password = undef, $project_name = 'services', $project_id = undef, $auth_endpoint = undef, @@ -85,10 +85,6 @@ class swift::keymaster( include swift::deps - if $password == undef { - warning('password parameter is missing') - } - swift_keymaster_config { 'kms_keymaster/api_class': value => $api_class; 'kms_keymaster/key_id': value => $key_id; diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp index ff1ede1f..bcd10415 100644 --- a/manifests/keystone/auth.pp +++ b/manifests/keystone/auth.pp @@ -7,14 +7,14 @@ # # === Parameters: # +# [*password*] +# String. The user's password. +# Required. +# # [*auth_name*] # String. The name of the user. # Optional. Defaults to 'swift'. # -# [*password*] -# String. The user's password. -# Optional. Defaults to 'swift_password'. -# # [*tenant*] # (Optional) The tenant to use for the swift service user # Defaults to 'services' @@ -108,8 +108,8 @@ # This url should *not* contain any trailing '/'. # class swift::keystone::auth( + String[1] $password, $auth_name = 'swift', - $password = undef, $tenant = 'services', $roles = ['admin'], $system_scope = 'all', @@ -137,14 +137,6 @@ class swift::keystone::auth( include swift::deps - if $password == undef { - warning('Usage of the default password is deprecated and will be removed in a future release. \ -Please set password parameter') - $password_real = 'swift_password' - } else { - $password_real = $password - } - if $service_name == $service_name_s3 { fail('swift::keystone::auth parameters service_name and service_name_s3 must be different.') } @@ -165,7 +157,7 @@ Please set password parameter') service_description => $service_description, region => $region, auth_name => $auth_name, - password => $password_real, + password => $password, email => $email, tenant => $tenant, roles => $roles, 
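Review bot: The `String[1] $password` type added to `swift::keymaster` and `swift::keystone::auth` rejects a value wrapped in Puppet's `Sensitive` type, so a caller that keeps the secret wrapped has to unwrap it before declaring the class. If the downstream resources accept a wrapped value (not visible in this diff), `Variant[String[1], Sensitive[String[1]]] $password` would keep the non-empty check without forcing the unwrap. Otherwise, a sentence in the parameter doc saying a plain string is expected would help. The same signature is added to `swift::proxy::authtoken`, `swift::proxy::ceilometer` and `swift::proxy::s3token`. The class bodies continue outside these hunks.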
diff --git a/manifests/proxy/authtoken.pp b/manifests/proxy/authtoken.pp index bcc3d4c4..5e2696a7 100644 --- a/manifests/proxy/authtoken.pp +++ b/manifests/proxy/authtoken.pp @@ -4,6 +4,9 @@ # # == Parameters # +# [*password*] +# (Required) The password for the user +# # [*delay_auth_decision*] # (Optional) Do not handle authorization requests within the middleware, but # delegate the authorization decision to downstream WSGI components. Boolean value @@ -33,10 +36,6 @@ # (Optional) id of domain for $username # Defaults to 'default' # -# [*password*] -# (Optional) The password for the user -# Defaults to 'password' -# # [*project_name*] # (Optional) Service project name # Defaults to 'services' @@ -94,6 +93,7 @@ # Copyright 2012 Puppetlabs Inc, unless otherwise noted. # class swift::proxy::authtoken( + String[1] $password, $delay_auth_decision = 1, $cache = 'swift.cache', $www_authenticate_uri = 'http://127.0.0.1:5000', @@ -101,7 +101,6 @@ class swift::proxy::authtoken( $auth_type = 'password', $username = 'swift', $user_domain_id = 'default', - $password = undef, $project_name = 'services', $project_domain_id = 'default', $system_scope = $facts['os_service_default'], @@ -115,14 +114,6 @@ class swift::proxy::authtoken( include swift::deps - if $password == undef { - warning('Usage of the default password is deprecated and will be removed in a future release. \ -Please set password parameter') - $password_real = 'password' - } else { - $password_real = $password - } - if is_service_default($system_scope) { $project_name_real = $project_name $project_domain_id_real = $project_domain_id 
@@ -139,7 +130,7 @@ Please set password parameter') 'filter:authtoken/auth_type': value => $auth_type; 'filter:authtoken/username': value => $username; 'filter:authtoken/user_domain_id': value => $user_domain_id; - 'filter:authtoken/password': value => $password_real, secret => true; + 'filter:authtoken/password': value => $password, secret => true; 'filter:authtoken/project_name': value => $project_name_real; 'filter:authtoken/project_domain_id': value => $project_domain_id_real; 'filter:authtoken/system_scope': value => $system_scope; diff --git a/manifests/proxy/ceilometer.pp b/manifests/proxy/ceilometer.pp index 29d070a1..37b8907a 100644 --- a/manifests/proxy/ceilometer.pp +++ b/manifests/proxy/ceilometer.pp @@ -7,6 +7,9 @@ # # == Parameters # +# [*password*] +# (Required) The password for the user +# # [*default_transport_url*] # (optional) A URL representing the messaging driver to use and its full # configuration. Transport URLs take the form: @@ -65,10 +68,6 @@ # (Optional) name of domain for $username # Defaults to 'default' # -# [*password*] -# (Optional) The password for the user -# Defaults to 'password' -# # [*region_name*] # (Optional) The region in which the identity server can be found. # Defaults to $facts['os_service_default']. @@ -162,6 +161,7 @@ # Copyright 2013 eNovance licensing@enovance.com # class swift::proxy::ceilometer( + String[1] $password, $default_transport_url = undef, $driver = $facts['os_service_default'], $topic = undef, @@ -176,7 +176,6 @@ class swift::proxy::ceilometer( $system_scope = $facts['os_service_default'], $username = 'swift', $user_domain_name = 'Default', - $password = undef, $region_name = $facts['os_service_default'], $notification_ssl_ca_file = $facts['os_service_default'], $notification_ssl_cert_file = $facts['os_service_default'], 
@@ -199,14 +198,6 @@ class swift::proxy::ceilometer( Package['python-ceilometermiddleware'] ~> Service<| title == 'swift-proxy-server' |> - if $password == undef { - warning('Usage of the default password is deprecated and will be removed in a future release. \ -Please set password parameter') - $password_real = 'password' - } else { - $password_real = $password - } - if is_service_default($system_scope) { $project_name_real = $project_name $project_domain_name_real = $project_domain_name @@ -230,7 +221,7 @@ Please set password parameter') 'filter:ceilometer/system_scope': value => $system_scope; 'filter:ceilometer/username': value => $username; 'filter:ceilometer/user_domain_name': value => $user_domain_name; - 'filter:ceilometer/password': value => $password_real, secret => true; + 'filter:ceilometer/password': value => $password, secret => true; 'filter:ceilometer/region_name': value => $region_name; } diff --git a/manifests/proxy/s3token.pp b/manifests/proxy/s3token.pp index 445fc6e2..e368bd43 100644 --- a/manifests/proxy/s3token.pp +++ b/manifests/proxy/s3token.pp @@ -4,6 +4,11 @@ # # === Parameters # +# [*password*] +# (Required) Keystone credentials used for secret caching +# The password for the user +# Defaults to password +# # [*auth_uri*] # (optional) The Keystone server uri # Defaults to http://127.0.0.1:5000 @@ -50,11 +55,6 @@ # id of domain for $username # Defaults to default # -# [*password*] -# (Optional) Keystone credentials used for secret caching -# The password for the user -# Defaults to password -# # [*project_name*] # (Optional) Keystone credentials used for secret caching # Service project name @@ -82,6 +82,7 @@ # Copyright 2012 eNovance licensing@enovance.com # class swift::proxy::s3token( + String[1] $password, $auth_uri = 'http://127.0.0.1:5000', $reseller_prefix = 'AUTH_', $delay_auth_decision = false, 
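Review bot: The relocated `password` entry in the manifests/proxy/s3token.pp header is marked `(Required)` but still ends with `# Defaults to password`. That is no longer true, because the class signature is now `String[1] $password` with no default. Drop the stale line so the header does not suggest a well-known fallback credential still exists. The entry would then read `# (Required) Keystone credentials used for secret caching` followed by `# The password for the user`.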
@@ -91,7 +92,6 @@ class swift::proxy::s3token( $auth_type = 'password', $username = 'swift', $user_domain_id = 'default', - $password = undef, $project_name = 'services', $project_domain_id = 'default', $system_scope = $facts['os_service_default'], @@ -99,14 +99,6 @@ class swift::proxy::s3token( include swift::deps - if $password == undef { - warning('Usage of the default password is deprecated and will be removed in a future release. \ -Please set password parameter') - $password_real = 'password' - } else { - $password_real = $password - } - if is_service_default($system_scope) { $project_name_real = $project_name $project_domain_id_real = $project_domain_id @@ -126,7 +118,7 @@ Please set password parameter') 'filter:s3token/auth_type': value => $auth_type; 'filter:s3token/username': value => $username; 'filter:s3token/user_domain_id': value => $user_domain_id; - 'filter:s3token/password': value => $password_real, secret => true; + 'filter:s3token/password': value => $password, secret => true; 'filter:s3token/project_name': value => $project_name_real; 'filter:s3token/project_domain_id': value => $project_domain_id_real; 'filter:s3token/system_scope': value => $system_scope; diff --git a/releasenotes/notes/require-password-a524fb4dc86a4d83.yaml b/releasenotes/notes/require-password-a524fb4dc86a4d83.yaml new file mode 100644 index 00000000..12a4480b --- /dev/null +++ b/releasenotes/notes/require-password-a524fb4dc86a4d83.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + The default password value has been removed and now the ``password`` + parameters are required. diff --git a/spec/classes/swift_keymaster_spec.rb b/spec/classes/swift_keymaster_spec.rb index e9163d76..c8f0c339 100644 --- a/spec/classes/swift_keymaster_spec.rb +++ b/spec/classes/swift_keymaster_spec.rb 
@@ -2,10 +2,17 @@ require 'spec_helper' describe 'swift::keymaster' do shared_examples 'swift::keymaster' do + let :params do + { + :password => 'swiftpassword' + } + end + context "when using default parameters" do it 'configures keymaster options' do is_expected.to contain_swift_keymaster_config('kms_keymaster/api_class').with_value('barbican') is_expected.to contain_swift_keymaster_config('kms_keymaster/username').with_value('swift') + is_expected.to contain_swift_keymaster_config('kms_keymaster/password').with_value('swiftpassword').with_secret(true) is_expected.to contain_swift_keymaster_config('kms_keymaster/project_name').with_value('services') is_expected.to contain_swift_keymaster_config('kms_keymaster/project_domain_id').with_value('default') is_expected.to contain_swift_keymaster_config('kms_keymaster/user_domain_id').with_value('default') 
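Review bot: None of the updated specs covers the behaviour this commit introduces, namely that compilation fails when `password` is omitted or empty. Every context inherits the shared `let :params` with `:password => 'swiftpassword'`. Consider a context in this shared_examples block that overrides params with an empty hash and expects a failure, for example `it { is_expected.to raise_error(Puppet::Error) }`, plus one passing `:password => ''` to pin the `String[1]` lower bound. The same gap applies to swift_proxy_authtoken_spec.rb, swift_proxy_ceilometer_spec.rb and swift_proxy_s3token_spec.rb. The shared_examples block continues outside the hunk.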
@@ -14,21 +21,19 @@ describe 'swift::keymaster' do end describe "when overriding default parameters" do - let :params do - { + before :each do + params.merge!({ :api_class => 'castellan.key_manager.barbican_key_manager.BarbicanKeyManager', :key_id => 'dummy_key_id', - :password => 'fake_password', :auth_endpoint => 'http://127.0.0.1:5000', :project_name => 'barbican_swift_service', :meta_version_to_write => 3, - } + }) end it 'configures keymaster options' do is_expected.to contain_swift_keymaster_config('kms_keymaster/api_class').with_value('castellan.key_manager.barbican_key_manager.BarbicanKeyManager') is_expected.to contain_swift_keymaster_config('kms_keymaster/key_id').with_value('dummy_key_id') - is_expected.to contain_swift_keymaster_config('kms_keymaster/password').with_value('fake_password').with_secret(true) is_expected.to contain_swift_keymaster_config('kms_keymaster/auth_endpoint').with_value('http://127.0.0.1:5000') is_expected.to contain_swift_keymaster_config('kms_keymaster/project_name').with_value('barbican_swift_service') is_expected.to contain_swift_keymaster_config('kms_keymaster/meta_version_to_write').with_value('3') diff --git a/spec/classes/swift_proxy_authtoken_spec.rb b/spec/classes/swift_proxy_authtoken_spec.rb index 6721bf6f..9633951e 100644 --- a/spec/classes/swift_proxy_authtoken_spec.rb +++ b/spec/classes/swift_proxy_authtoken_spec.rb @@ -2,6 +2,12 @@ require 'spec_helper' describe 'swift::proxy::authtoken' do shared_examples 'swift::proxy::authtoken' do + let :params do + { + :password => 'swiftpassword', + } + end + describe "when using default parameters" do it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/paste.filter_factory').with_value('keystonemiddleware.auth_token:filter_factory') } 
@@ -10,7 +16,7 @@ describe 'swift::proxy::authtoken' do it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_type').with_value('password') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/username').with_value('swift') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/user_domain_id').with_value('default') } - it { is_expected.to contain_swift_proxy_config('filter:authtoken/password').with_value('password').with_secret(true) } + it { is_expected.to contain_swift_proxy_config('filter:authtoken/password').with_value('swiftpassword').with_secret(true) } it { is_expected.to contain_swift_proxy_config('filter:authtoken/project_name').with_value('services') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/project_domain_id').with_value('default') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/system_scope').with_value('') } @@ -25,8 +31,8 @@ describe 'swift::proxy::authtoken' do end describe "when overriding parameters" do - let :params do - { + before :each do + params.merge!({ :username => 'swiftuser', :password => 'swiftpassword', :project_name => 'admin', @@ -37,7 +43,7 @@ describe 'swift::proxy::authtoken' do :service_token_roles_required => true, :service_type => 'identity', :interface => 'internal', - } + }) end it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') } 
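Review bot: In the "when overriding parameters" context of swift_proxy_authtoken_spec.rb, the merged hash still carries `:password => 'swiftpassword'`, which is now identical to the value in the shared `let :params`. The entry is therefore redundant, and the context no longer shows a password override taking effect. Either drop the key from the `params.merge!` call or give it a distinct value and adjust the matching expectation, which lies outside this hunk.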
@@ -62,29 +68,31 @@ describe 'swift::proxy::authtoken' do end describe 'when overriding www_authenticate_uri' do - let :params do - { :www_authenticate_uri => 'http://public.host/keystone/main' } + before :each do + params.merge!({ + :www_authenticate_uri => 'http://public.host/keystone/main' + }) end it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('http://public.host/keystone/main') } end describe "when auth_url is set" do - let :params do - { + before :each do + params.merge!({ :auth_url => 'https://foo.bar:5000/' - } + }) end it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_url').with_value('https://foo.bar:5000/') } end describe "when both www_authenticate_uri and auth_url are set" do - let :params do - { + before :each do + params.merge!({ :www_authenticate_uri => 'https://foo.bar:5000/v3/', :auth_url => 'https://foo.bar:5000/' - } + }) end it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('https://foo.bar:5000/v3/') } @@ -92,10 +100,10 @@ describe 'swift::proxy::authtoken' do end describe 'when system_scope is set' do - let :params do - { + before :each do + params.merge!({ :system_scope => 'all' - } + }) end it { is_expected.to contain_swift_proxy_config('filter:authtoken/project_name').with_value('') } diff --git a/spec/classes/swift_proxy_ceilometer_spec.rb b/spec/classes/swift_proxy_ceilometer_spec.rb index c0be2c2f..c1a9faef 100644 --- a/spec/classes/swift_proxy_ceilometer_spec.rb +++ b/spec/classes/swift_proxy_ceilometer_spec.rb 
@@ -9,14 +9,21 @@ describe 'swift::proxy::ceilometer' do end shared_examples 'swift::proxy::ceilometer' do + + let :params do + { + :password => 'swiftpassword' + } + end + describe "when using default parameters" do - let :params do - { + before :each do + params.merge!({ :default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit', - } + }) end - it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password').with_secret(true) } + it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('swiftpassword').with_secret(true) } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit').with_secret(true) } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('false') } @@ -29,8 +36,9 @@ describe 'swift::proxy::ceilometer' do end describe "when overriding default parameters with rabbit driver" do - let :params do - { :default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit', + before :each do + params.merge!({ + :default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit', :driver => 'messagingv2', :topic => 'notifications', :control_exchange => 'swift', @@ -42,9 +50,8 @@ describe 'swift::proxy::ceilometer' do :user_domain_name => 'Default', :project_name => 'services', :username => 'swift', - :password => 'mypassword', :region_name => 'region2' - } + }) end context 'with single rabbit host' do 
@@ -62,7 +69,6 @@ describe 'swift::proxy::ceilometer' do it { is_expected.to contain_swift_proxy_config('filter:ceilometer/system_scope').with_value('') } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/username').with_value('swift') } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/user_domain_name').with_value('Default') } - it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('mypassword').with_secret(true) } it { is_expected.to contain_swift_proxy_config('filter:ceilometer/region_name').with_value('region2') } end @@ -116,11 +122,11 @@ describe 'swift::proxy::ceilometer' do end describe 'when system_scope is set' do - let :params do - { + before :each do + params.merge!({ :default_transport_url => 'rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit', :system_scope => 'all' - } + }) end it { is_expected.to contain_swift_proxy_config('filter:ceilometer/project_name').with_value('') } diff --git a/spec/classes/swift_proxy_s3token_spec.rb b/spec/classes/swift_proxy_s3token_spec.rb index 3929a5c3..8c38d409 100644 --- a/spec/classes/swift_proxy_s3token_spec.rb +++ b/spec/classes/swift_proxy_s3token_spec.rb @@ -2,6 +2,12 @@ require 'spec_helper' describe 'swift::proxy::s3token' do shared_examples 'swift::proxy::s3token' do + let :params do + { + :password => 'swiftpassword' + } + end + describe "when using default parameters" do it { is_expected.to contain_swift_proxy_config('filter:s3token/use').with_value('egg:swift#s3token') } it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_uri').with_value('http://127.0.0.1:5000') } 
@@ -13,15 +19,15 @@ describe 'swift::proxy::s3token' do it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_type').with_value('password') } it { is_expected.to contain_swift_proxy_config('filter:s3token/username').with_value('swift') } it { is_expected.to contain_swift_proxy_config('filter:s3token/user_domain_id').with_value('default') } - it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('password').with_secret(true) } + it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('swiftpassword').with_secret(true) } it { is_expected.to contain_swift_proxy_config('filter:s3token/project_name').with_value('services') } it { is_expected.to contain_swift_proxy_config('filter:s3token/project_domain_id').with_value('default') } it { is_expected.to contain_swift_proxy_config('filter:s3token/system_scope').with_value('') } end describe "when overriding default parameters" do - let :params do - { + before :each do + params.merge!({ :auth_uri => 'http://192.168.24.11:5000', :reseller_prefix => 'SWIFT_', :delay_auth_decision => true, @@ -30,11 +36,10 @@ describe 'swift::proxy::s3token' do :auth_url => 'http://192.168.24.11:5000', :auth_type => 'password', :username => 'swift', - :password => 'swift', :project_name => 'admin', :project_domain_id => '12345', :user_domain_id => '12345' - } + }) end it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_uri').with_value('http://192.168.24.11:5000') } 
@@ -46,17 +51,17 @@ describe 'swift::proxy::s3token' do it { is_expected.to contain_swift_proxy_config('filter:s3token/auth_type').with_value('password') } it { is_expected.to contain_swift_proxy_config('filter:s3token/username').with_value('swift') } it { is_expected.to contain_swift_proxy_config('filter:s3token/user_domain_id').with_value('12345') } - it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('swift').with_secret(true) } + it { is_expected.to contain_swift_proxy_config('filter:s3token/password').with_value('swiftpassword').with_secret(true) } it { is_expected.to contain_swift_proxy_config('filter:s3token/project_name').with_value('admin') } it { is_expected.to contain_swift_proxy_config('filter:s3token/project_domain_id').with_value('12345') } it { is_expected.to contain_swift_proxy_config('filter:s3token/system_scope').with_value('') } end describe 'when system_scope is set' do - let :params do - { + before :each do + params.merge!({ :system_scope => 'all' - } + }) end it { is_expected.to contain_swift_proxy_config('filter:s3token/project_name').with_value('') }